|
 |
 |
It’s increasingly difficult to see through the hype of AI in cybersecurity in a sea of shiny vendor demos that fail to deliver in production.
We recently aired a discussion between Gourav Nagar (Head of Information Security and IT at Upwind) and Jon Hencinski (Head of Security Operations at Prophet Security, ex-Expel) that provides a practitioner’s perspective on building comprehensive AI-driven cybersecurity programs.
Key topics they discussed include:
• Getting organizational buy-in (where leadership and practitioners are aligned)
• Improving alert detection, triage, and investigations
• Maturing your cybersecurity program (alert management is no longer a constraint)
Looking for some of the AI SOC best practices discussed?
1. Cover all the alerts you care about: You can feed in informational, low, and medium alerts so even these signals can be investigated while they’re early indicators, not after they’ve been aged into incidents.
2. Require deterministic consistency: Your Tier 1 analyst at 3:20am may not function like your Tier 2 at 12:00pm, but your AI SOC platform should absolutely enforce the same level of deterministic consistency and rigor in its reasoning and conclusions.
3. Unshackle your detection engineers: Stop suppressing rules because your team can’t handle the volume.
4. Keep humans in the loop for remediation: There is a distinction to be made between autonomous investigation and autonomous remediation, and the latter requires trust to be built amongst the practitioners on your team.
5. Verify the AI with a parallel run: It’s critical you run the AI alongside your SOC for a couple of weeks (or more) to build trust in its accuracy in your environment and team’s workflow.
Welcome to another _secpro!
Cybersecurity in 2026 is being shaped by a convergence of accelerating attack speeds, expanding digital ecosystems, and increasingly autonomous adversary capabilities. Recent threat intelligence points to a shift from manually orchestrated intrusions toward highly adaptive operations, including the emergence of agentic AI systems capable of planning and executing multi-stage attacks with minimal human oversight. These developments are enabling adversaries to scale campaigns and adjust tactics in real time, while AI-assisted reconnaissance and credential abuse continue to compress intrusion timelines. In some environments, attackers are now moving laterally within minutes of initial access, leaving little margin for delayed detection or response.
At the same time, threat actors are increasingly exploiting trusted access paths and identity-based weaknesses rather than relying solely on traditional malware. Credential compromise, third-party exposure, and cross-domain movement remain dominant techniques, reflecting the growing dependence of organizations on interconnected services and supply chains. Ransomware groups continue to prioritize sectors where operational disruption increases the likelihood of payment, while intelligence-driven campaigns such as recent MuddyWater activity demonstrate sustained investment in targeted espionage operations.
Despite the growing sophistication of adversaries, many successful intrusions still exploit familiar weaknesses, including poor credential hygiene and unpatched systems. The current threat landscape underscores a clear reality: as attack capabilities evolve, resilience depends not only on advanced defenses but also on disciplined execution of fundamental security controls.
If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!
Cheers!
Austin Miller
Editor-in-Chief
 |
The MCP Maturity Model was created by Stacklok, who have built an MCP platform and are working with enterprises to put MCP into production. Their Applied AI Engineers work hands-on with leaders to curate trusted registries, deploy advanced security measures and light up AI agents. You can learn more about the company at